Integration of Juniper ATP Cloud and Web Filtering on MX Series Routers
Overview
Juniper Advanced Threat Prevention (Juniper ATP Cloud) is integrated with MX series routers to protect all hosts in your network against evolving security threats by employing cloud-based threat detection software with a next-generation firewall system.
This topic provides an overview of Juniper ATP Cloud, Policy Enforcer, Security Intelligence, Web filtering, and their benefits when integrated on MX Series routers (MX240, MX480 and MX960).
- Benefits
- Understanding Policy Enforcer and Juniper ATP Cloud
- Security Intelligence (SecIntel) - Overview
- Web Filtering (URL-Filterd) - Overview
Benefits
Simplifies deployment and enhances the anti-threat capabilities when integrated with the MX routers.
Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
Checks inbound and outbound traffic with policy enhancements that allow users to stop malware, quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
Supports High Availability to provide uninterrupted service.
Scales to handle increasing loads, which call for more computing resources, more network bandwidth to receive customer submissions, and large storage for malware samples.
Provides deep inspection, actionable reporting, and inline malware blocking.
Understanding Policy Enforcer and Juniper ATP Cloud
Juniper Networks Security Director includes a feature called Policy Enforcer (PE) that learns from threat conditions, automates policy creation, and dynamically deploys enforcement to Juniper devices in the network.
Figure 1 illustrates the traffic flow between the PE, the Juniper ATP Cloud, and the MX router which functions as a firewall.
Policy Enforcer (PE) learns from threat conditions, automates the policy creation, and deploys enforcement to Juniper devices in the network.
Juniper Advanced Threat Prevention (Juniper ATP Cloud) protects all hosts in your network by employing cloud-based threat detection software with a next-generation firewall system.
The MX router fetches the threat intelligence feeds from Policy Enforcer (PE) and implements those policies to quarantine compromised hosts. It comprises the following components:
Security Intelligence process
Web Filtering process
Firewall process
To understand how the system architecture works, consider the following example: a user downloads a file from the Internet and that file passes through an MX firewall. The file can be sent to Juniper ATP Cloud for malware inspection (depending on your configuration settings). If the file is determined to be malware, PE identifies the IP address and MAC address of the host that downloaded the file. Based on a user-defined policy, that host can be put into a quarantine VLAN or blocked from accessing the Internet.
MX Series routers (MX240, MX480, and MX960) can be integrated with the Juniper ATP Cloud to prevent compromised hosts (botnets) from communicating with command and control servers:
Starting in Junos OS Release 18.4R1 with the Adaptive Services as an Inline security capability
Starting in Junos OS Release 19.3R2 with the Next Gen Services as an Inline security capability
Security Intelligence (SecIntel) - Overview
The Security Intelligence process (IPFD) downloads the security intelligence feeds from the feed connector or the Juniper ATP Cloud feed server and parses them. On MX platforms, IPFD fetches the command and control (C&C) IPv4/IPv6 feeds from Policy Enforcer. C&C feeds are essentially a list of servers that are known command and control servers for botnets; the list also includes servers that are known sources for malware downloads. The fetched information is saved in the file urlf_si_cc_db.txt under the /var/db/url-filterd directory.
The format of each entry in the disallowed-IP file that IPFD sends to the web filtering process is:
    IPv4 address | IPv6 address, threat-level
The threat-level is an integer from 1 to 10 that indicates the threat level of files scanned for malware and of infected hosts, where 1 is the lowest threat level and 10 the highest. For example:
    178.10.19.20, 4
Here, 178.10.19.20 is the disallowed IP address and 4 is its threat level.
The C&C feed database is synced onto the backup Routing Engine. IPFD then shares the information to the web filtering process (url-filterd). The web filtering process reads the file contents and configures the filters accordingly.
Configuring Security Intelligence to Download the C&C Feed from Policy Enforcer
To download the command and control IPv4/IPv6 feeds from Juniper ATP Cloud/Policy Enforcer, include the security-intelligence statement at the [edit services] hierarchy level, as in the following example:
    security-intelligence {
        authentication {
            auth-token 7QGSBL5ZRKR5UHUZ2X2R6QLHB656D5EN;
        }
        url https://10.92.83.245:443/api/v1/manifest.xml;
        traceoptions {
            file security-intelligence.log size 1g;
            level all;
            flag all;
        }
    }
The auth-token is the credential IPFD presents when it fetches the manifest from the feed server, so treat the configuration that contains it as sensitive.
Web Filtering (URL-Filterd) - Overview
The web filtering process reads the file contents fetched from the IPFD and configures the filters on the Packet Forwarding Engine accordingly. The web filtering process enforces the command and control feeds by programming the filters in the Packet Forwarding Engine to block the packets destined to the blocked IP addresses and to generate logs for reporting the incident.
Figure 2 illustrates the way C&C feed is fetched by the IPFD and then processed by the web filtering process.
A web filter profile can have more than one template. Each template consists of a set of logical interfaces configured for web filtering and one or more terms. A term is a set of match criteria with actions to be taken if the criteria are met. To configure the web filter profile to use the dynamically fetched C&C feed, configure the security-intelligence-policy statement at the [edit services web-filter profile profile-name] hierarchy level. You need not configure a term for a security-intelligence-policy based web filter profile.
You can configure the following threat level actions for the web filter profile at the [edit services web-filter profile profile-name security-intelligence-policy threat-level threat-level threat-action] hierarchy level:
drop
drop-and-log
log
You can configure only one threat-action for each threat level. If no threat-action is configured for a particular threat level, the default threat-action is accept. Because the default is accept, traffic to C&C servers at any threat level you leave unconfigured passes without a log entry; configure at least log for the levels you do not drop if you want visibility into them.
Configuring the Web Filter Profile for Sampling
Starting in Junos OS Release 19.3R1, the web filtering process (url-filterd) supports inline sampling of packets as a threat level action. Packets are dropped, logged, and sampled based on the threat-action you configure. In scaled scenarios, sampling is preferred over logging. Along with the existing threat level actions, you can configure the following threat level actions on the web filter profile at the [edit services web-filter profile profile-name security-intelligence-policy threat-level threat-level threat-action] hierarchy level:
drop-and-sample
drop-log-and-sample
log-and-sample
sample
Inline flow monitoring samples the packets and sends the flow records in IPFIX format to a flow collector. The exported records carry the flow's addresses, not the threat level, so you derive the threat level for a sampled flow at the external collector by matching the IP address in the sampled packets with the corresponding entry in /var/db/url-filterd/urlf_si_cc_db.txt. Configuring sampling involves the following steps:
- Associate a sampling instance with the FPC on which the media interface is present, at the [edit chassis] hierarchy level. If you are configuring sampling of IPv4, IPv6, or VPLS flows, you can also configure the flow hash table size for each family.
- Configure the template properties for inline flow monitoring at the [edit services flow-monitoring] hierarchy level.
- Configure a sampling instance, associate the flow-server IP address, port number, and flow export rate with it, and specify the collectors at the [edit forwarding-options] hierarchy level.
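The following Python script is an added example; it is not part of the Junos documentation or of the url-filterd implementation. It shows the two pieces of logic described above in working form: resolving the configured threat-action for a C&C feed entry the way the security-intelligence-policy does (one action per threat level, accept for any unconfigured level, using the levels from the example profile in this topic), and the collector-side join that derives a threat level for an exported flow record by matching its destination against a copy of urlf_si_cc_db.txt. The feed lines, the flow records, and the rule that the higher level wins when an address is listed twice are constructed assumptions of this example.

```python
"""Added example, not from the Junos documentation or url-filterd: resolve the
configured threat-action for C&C feed entries and derive the threat level for
flow records at an IPFIX collector. Feed lines and flow records are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# threat-action keywords listed for the security-intelligence-policy in this topic
VALID_ACTIONS = {
    "drop", "drop-and-log", "log",
    "drop-and-sample", "drop-log-and-sample", "log-and-sample", "sample",
}
DEFAULT_ACTION = "accept"  # levels without a configured threat-action are accepted


def parse_cc_feed(text: str) -> Dict[str, int]:
    """Parse 'address, threat-level' lines (urlf_si_cc_db.txt layout) into
    {canonical address: level}. Malformed lines and levels outside 1..10 are
    skipped so one bad record does not block loading the rest. If an address
    appears twice the higher level wins (this example's rule, not url-filterd's)."""
    db: Dict[str, int] = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))  # IPv4 or IPv6
            level = int(parts[1])
        except ValueError:
            continue
        if 1 <= level <= 10:
            db[addr] = max(level, db.get(addr, 0))
    return db


def resolve_action(policy: Dict[int, str], level: int) -> str:
    """One threat-action per threat level; unconfigured levels fall back to accept."""
    action = policy.get(level, DEFAULT_ACTION)
    if action != DEFAULT_ACTION and action not in VALID_ACTIONS:
        raise ValueError(f"unknown threat-action {action!r} for threat-level {level}")
    return action


def classify_destination(db: Dict[str, int], policy: Dict[int, str],
                         dst: str) -> Tuple[Optional[int], str]:
    """What the PFE filter would do to a packet for dst: (threat level, action)."""
    level = db.get(str(ipaddress.ip_address(dst)))
    if level is None:
        return None, DEFAULT_ACTION
    return level, resolve_action(policy, level)


def enrich_flows(db: Dict[str, int], flows: List[dict]) -> List[dict]:
    """Collector side: the exported IPFIX records carry addresses, not threat
    levels, so join each record's destination against the C&C database."""
    out = []
    for rec in flows:
        dst = rec.get("destinationIPv4Address") or rec.get("destinationIPv6Address")
        level = db.get(str(ipaddress.ip_address(dst))) if dst else None
        out.append({**rec, "threat_level": level})
    return out


# Constructed sample of /var/db/url-filterd/urlf_si_cc_db.txt contents; a duplicate,
# a malformed address and an out-of-range level are included on purpose.
SAMPLE_FEED = """\
178.10.19.20, 4
203.0.113.7, 9
2001:db8::bad, 10
203.0.113.7, 6
not-an-ip, 3
198.51.100.9, 11
"""

# Same threat levels and actions as the example profile later in this topic.
SAMPLE_POLICY = {5: "drop-log-and-sample", 6: "drop-log-and-sample",
                 7: "log-and-sample", 8: "drop-log-and-sample",
                 9: "drop-log-and-sample", 10: "drop-log-and-sample"}

# Constructed flow records as a collector would decode them from IPFIX.
SAMPLE_FLOWS = [
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "203.0.113.7",
     "destinationTransportPort": 443},
    {"sourceIPv4Address": "10.0.0.6", "destinationIPv4Address": "192.0.2.10",
     "destinationTransportPort": 80},
    {"sourceIPv6Address": "2001:db8:1::5", "destinationIPv6Address": "2001:db8::bad",
     "destinationTransportPort": 8080},
]

if __name__ == "__main__":
    db = parse_cc_feed(SAMPLE_FEED)
    for dst in ("178.10.19.20", "203.0.113.7", "192.0.2.10"):
        print(dst, classify_destination(db, SAMPLE_POLICY, dst))
    for rec in enrich_flows(db, SAMPLE_FLOWS):
        print(rec["threat_level"], rec)
```

Note that the level-4 entry resolves to accept in this policy: the example profile configures levels 5 through 10 only, so lower-level C&C destinations are neither dropped nor logged. At the collector, the join needs the router's C&C database (or the same feed) to be available, since the IPFIX records themselves carry no threat information.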
- Associate a Sampling Instance with the FPC
- Configure a Sampling Instance and Associate the Template With the Sampling Instance.
- Configure the sample instance and associate the flow-server IP address and other parameters.
- Example: Configuring Web-filter Profile to Define Different Threat-Levels
Associate a Sampling Instance with the FPC
To associate the defined instance with a particular FPC, MPC, or DPC, include the sampling-instance statement at the [edit chassis fpc number] hierarchy level, as in the following example:
    chassis {
        redundancy {
            graceful-switchover;
        }
        fpc 0 {
            pic 0 {
                inline-services {
                    bandwidth 10g;
                }
            }
            pic 2 {
                inline-services {
                    bandwidth 10g;
                }
            }
            pic 3 {
                inline-services {
                    bandwidth 10g;
                }
            }
            sampling-instance 1to1;
            inline-services {
                flow-table-size {
                    ipv4-flow-table-size 5;
                    ipv6-flow-table-size 5;
                }
            }
        }
    }
Configure a Sampling Instance and Associate the Template with the Sampling Instance
To configure the template properties for inline flow monitoring, include the following statements at the [edit services flow-monitoring] hierarchy level, as in the following example:
    services {
        flow-monitoring {
            version-ipfix {
                template ipv4 {
                    flow-active-timeout 60;
                    flow-inactive-timeout 60;
                    template-refresh-rate {
                        packets 48000;
                        seconds 60;
                    }
                    option-refresh-rate {
                        packets 48000;
                        seconds 60;
                    }
                    ipv4-template;
                }
                template ipv6 {
                    flow-active-timeout 60;
                    flow-inactive-timeout 60;
                    template-refresh-rate {
                        packets 48000;
                        seconds 60;
                    }
                    ipv6-template;
                }
            }
        }
    }
Configure the Sampling Instance and Associate the Flow-Server IP Address and Other Parameters
To configure a sampling instance and associate the flow-server IP address and other parameters with it, include the following statements at the [edit forwarding-options] hierarchy level, as in the following example:
    forwarding-options {
        sampling {
            traceoptions {
                file ipfix.log size 10k;
            }
            instance {
                1to1 {
                    input {
                        rate 1;
                    }
                    family inet {
                        output {
                            flow-server 192.168.9.194 {
                                port 2055;
                                autonomous-system-type origin;
                                version-ipfix {
                                    template {
                                        ipv4;
                                    }
                                }
                            }
                            inline-jflow {
                                source-address 192.168.9.195;
                            }
                        }
                    }
                    family inet6 {
                        output {
                            flow-server 192.168.9.194 {
                                port 2000;
                                autonomous-system-type origin;
                                version-ipfix {
                                    template {
                                        ipv6;
                                    }
                                }
                            }
                            inline-jflow {
                                source-address 192.168.9.195;
                            }
                        }
                    }
                }
            }
        }
    }
Example: Configuring Web-filter Profile to Define Different Threat-Levels
In this example, threat levels 5 through 10 are acted on; levels 1 through 4 have no threat-action configured and therefore fall back to the default action, accept.
    services {
        web-filter {
            profile Profile1 {
                security-intelligence-policy {
                    file-type txt;
                    threat-level 5 {
                        threat-action {
                            drop-log-and-sample;
                        }
                    }
                    threat-level 6 {
                        threat-action {
                            drop-log-and-sample;
                        }
                    }
                    threat-level 7 {
                        threat-action {
                            log-and-sample;
                        }
                    }
                    threat-level 8 {
                        threat-action {
                            drop-log-and-sample;
                        }
                    }
                    threat-level 9 {
                        threat-action {
                            drop-log-and-sample;
                        }
                    }
                    threat-level 10 {
                        threat-action {
                            drop-log-and-sample;
                        }
                    }
                }
                url-filter-template template1 {
                    client-interfaces ge-0/0/4.0;
                    client-routing-instance inet.0;
                }
            }
            traceoptions {
                file webfilter_log size 1g;
                level all;
                flag all;
            }
        }
    }
GeoIP Filtering
Overview
The GeoIP feeds are essentially a list of IP address to country code mappings. Starting in Junos OS 21.4R1, you can configure IP-based Geo locations on MX Series routers to fetch the GeoIP feeds from Policy Enforcer. By deploying the GeoIP feeds, you can enable the network to prevent devices from communicating with IP addresses belonging to specific countries.
You can configure the security intelligence process (IPFD) on MX Series routers to fetch the GeoIP feeds from Policy Enforcer. As with the existing C&C IPv4/IPv6 feeds, IPFD downloads the GeoIP feeds from Policy Enforcer and translates them into the file format that the web filtering process (url-filterd) subsequently processes.
Starting in Junos OS 22.1R1, you can configure IPFD on MX Series routers to fetch the GeoIP feeds from Juniper ATP Cloud instead. As with the existing C&C IPv4/IPv6 feeds, IPFD downloads the GeoIP feeds from Juniper ATP Cloud.
How to Configure GeoIP Filtering on MX Series Routers
The information fetched by IPFD is saved in the file urlf_si_geoip_db.txt at the /var/db/url-filterd location.
The format of each entry in the file that IPFD sends to the web filtering process is:
    IPv4 address | IPv6 address,Prefix,threat-level,VRF-name,Gen-num
Gen-num is always 0. For GeoIP feeds, the VRF-name field carries the country code. For example:
    178.10.19.22,12,255,US,0
IPFD and the web-filtering process maintain a pconn connection for communicating the creation or update of files containing GeoIP feeds. The Web-Filtering process enforces the GeoIP feeds by programming the filters in the PFE to block the packets destined to the blocked countries. The APIs provided by liburlf are used to validate and parse the files.
The web-filtering process reads the file containing the list of IP addresses and the PFE filters are programmed with the destination IP addresses listed in the feed and the action configured for the associated country.
- Global filter: Countries are configured under a global rule within a profile. All IP addresses for the countries in that global rule are programmed in a single filter that is applied to all templates in the profile. You configure a profile to dynamically fetch the GeoIP feed with geo-ip rule match country country-name at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level.
- Group filter: Groups of countries are configured under a template. All IP addresses associated with the countries in a group are programmed in a group filter that is applied to the templates under which that group is configured. A group is a list of countries defined in a JSON file that is parsed by liburlf.
To configure a group filter, you must create a group.json file containing the group mappings at the /var/db/url-filterd location.
The format of the json file is as follows:
[
{
"group_name" : "group1",
"country" : ["ZA","YE"]
},
{
"group_name" : "group2",
"country" : ["YT"]
}
]
To dynamically fetch GeoIP feeds, you can either configure a global filter using a single profile or configure multiple group filters using templates. Using both configurations together is not supported.
The groups created in the json file are referenced in the GeoIP match clause defined at the [edit services web-filter profile profile-name url-filter-template template-name security-intelligence-policy geo-ip rule match group group-name] hierarchy level.
Global Allowlist and Global Blocklist
You can customize the IP feed by adding your own allowlist and blocklist. This is helpful for managing intelligence feeds that are specific to your security operations center, or as a temporary measure for false positives. Starting in Junos OS Release 21.4R1, you can allow or block specific IP addresses either through an IP address list configured in the CLI or through a file. You can configure a separate list for the allowlist and for the blocklist, or put the IP addresses in a file and reference the file name in the CLI configuration.
You can create an IP-address-list at the [edit services web-filter] hierarchy level; it contains the IP addresses that must be allowed or blocked. Alternatively, you can create a file containing those IP addresses in the /var/db/url-filterd location. The IP addresses from the file or the IP address list are programmed as part of the global filter, which is attached to all templates.
You define a global allowlist by configuring white-list (IP-address-list | file-name) and a global blocklist by configuring black-list (IP-address-list | file-name), both at the [edit services web-filter profile profile-name security-intelligence-policy] hierarchy level. Here, IP-address-list refers to the name of an IP address list specified at the [edit services web-filter] hierarchy level, and file-name refers to the name of the file containing the IP addresses to be allowed or blocked. The file must be in the /var/db/url-filterd location and must have the same name as in the configuration.
The format of the global allowlist file is as follows:
    Security Intelligence Policy Enforcement Version 2.0
    IP Address,Prefix,Threat-level,VRF-Name,Gen-Num
    198.51.100.1,32,0,junos-default-vrf,0
The format of the global blocklist file is as follows:
    Security Intelligence Policy Enforcement Version 2.0
    IP Address,Prefix,Threat-level,VRF-Name,Gen-Num
    192.168.1.1,32,255,junos-default-vrf,0
Every record must carry all five fields; a host entry uses prefix 32 (IPv4) or 128 (IPv6).
The web-filtering process parses the list of global allowlist or global blocklist IP addresses and programs the implicit filter terms with the configured IP addresses to either allow or block the packets.
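The following Python script is an added example; it is not part of the Junos documentation or of liburlf. It parses the three files in this section that share the IP,Prefix,Threat-level,VRF-Name,Gen-Num record layout: the GeoIP feed file urlf_si_geoip_db.txt (country code in the VRF-name column, Gen-num always 0), the group.json country groups, and the global allowlist/blocklist files with their version header. It then resolves a destination address to the group filter that would match it by longest prefix, and rejects a four-field blocklist record of the kind a hand-edited file can contain. The header layout (one version line followed by the column line), the sample prefixes, and the rule that rejects a country listed in two groups are assumptions of this example, not behaviour documented for url-filterd.

```python
"""Added example, not from the Junos documentation or liburlf: parse the GeoIP
feed, group.json and the global allowlist/blocklist files, which share the
'IP,Prefix,Threat-level,VRF-Name,Gen-Num' record layout. All sample data is constructed."""
import ipaddress
import json
import re
from typing import Dict, List, NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2, e.g. "US"
# Header layout assumed from this topic's examples: one version line, then the column line.
LIST_HEADER = "Security Intelligence Policy Enforcement Version 2.0"
LIST_COLUMNS = "IP Address,Prefix,Threat-level,VRF-Name,Gen-Num"


class Record(NamedTuple):
    network: Network
    threat_level: int
    vrf: str        # VRF name, or the country code in a GeoIP feed
    gen_num: int


def parse_record(line: str, lineno: int) -> Record:
    """Parse one record; a wrong field count (typically a dropped Prefix column)
    or a non-zero Gen-num is an error rather than something to guess at."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
    ip, prefix, level, vrf, gen = fields
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)  # IPv4 or IPv6
    if int(gen) != 0:
        raise ValueError(f"line {lineno}: Gen-num must be 0")
    return Record(network, int(level), vrf, 0)


def _lines(text: str) -> List[str]:
    return [l.strip() for l in text.splitlines() if l.strip()]


def parse_geoip_feed(text: str) -> List[Record]:
    """urlf_si_geoip_db.txt: no header; the VRF-name column holds the country code."""
    records = []
    for n, line in enumerate(_lines(text), 1):
        rec = parse_record(line, n)
        if not COUNTRY_CODE.match(rec.vrf):
            raise ValueError(f"line {n}: {rec.vrf!r} is not a country code")
        records.append(rec)
    return records


def parse_list_file(text: str) -> List[Record]:
    """Global allowlist/blocklist file: version header, column line, then records."""
    lines = _lines(text)
    if lines[:2] != [LIST_HEADER, LIST_COLUMNS]:
        raise ValueError("missing or malformed version 2.0 header")
    return [parse_record(line, n) for n, line in enumerate(lines[2:], 3)]


def load_groups(json_text: str) -> Dict[str, str]:
    """group.json -> {country code: group name}. A country in two groups and a repeated
    group_name are rejected (this example's rule; the filter to program would be ambiguous)."""
    country_to_group: Dict[str, str] = {}
    seen = set()
    for obj in json.loads(json_text):
        name = obj["group_name"]
        if name in seen:
            raise ValueError(f"duplicate group_name {name!r}")
        seen.add(name)
        for code in obj["country"]:
            if not COUNTRY_CODE.match(code):
                raise ValueError(f"group {name!r}: bad country code {code!r}")
            if code in country_to_group:
                raise ValueError(f"{code} listed in both {country_to_group[code]!r} and {name!r}")
            country_to_group[code] = name
    return country_to_group


def match_group(geoip: List[Record], groups: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix match dst to its country, then to the group filter that would
    block it; None if no grouped country covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in geoip if addr.version == r.network.version and addr in r.network]
    if not hits:
        return None
    return groups.get(max(hits, key=lambda r: r.network.prefixlen).vrf)


# Constructed samples using documentation address ranges; the /25 inside the /24
# shows that the most specific prefix decides the country.
SAMPLE_GEOIP = ("178.10.19.22,12,255,US,0\n192.0.2.0,24,255,ZA,0\n"
                "192.0.2.128,25,255,YE,0\n2001:db8::,32,255,YT,0\n")
SAMPLE_GROUPS = ('[{"group_name": "group1", "country": ["ZA", "YE"]},'
                 ' {"group_name": "group2", "country": ["YT"]}]')
SAMPLE_ALLOWLIST = f"{LIST_HEADER}\n{LIST_COLUMNS}\n198.51.100.1,32,0,junos-default-vrf,0\n"
# A hand-edited blocklist that dropped the Prefix column; parse_list_file() rejects it.
BAD_BLOCKLIST = f"{LIST_HEADER}\n{LIST_COLUMNS}\n192.168.1.1,255,junos-default-vrf,0\n"

if __name__ == "__main__":
    geoip, groups = parse_geoip_feed(SAMPLE_GEOIP), load_groups(SAMPLE_GROUPS)
    for dst in ("192.0.2.200", "178.15.1.1", "2001:db8::1", "198.51.100.1"):
        print(dst, "->", match_group(geoip, groups, dst))
    print(parse_list_file(SAMPLE_ALLOWLIST))
    try:
        parse_list_file(BAD_BLOCKLIST)
    except ValueError as err:
        print("rejected:", err)
```

The US entry in the sample feed matches 178.15.1.1 but belongs to no group, so match_group() returns None for it: a group filter only ever blocks the countries listed in group.json, and a country that is in the feed but in no group is left to the global rule, if one is configured. Validating the list files before copying them to /var/db/url-filterd catches the missing-prefix record, which otherwise does not have a defined meaning in the five-column format.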